Configuring System Integrity Protection without booting to Recovery HD
One interesting part of Apple’s developer documentation for System Integrity Protection (SIP) is the note shown below, indicating that it’s possible to configure SIP for environments that can’t access Recovery.
When I followed up with Apple about this, I was told that this meant I could configure it using NetBoot, using a NetBoot set that included the needed Recovery environment.
This new type of NetBoot set is designed to install only scripts, configuration profiles and packages as opposed to installing an OS. For more details, see below the jump.
To test this, I wrote a script that uses csrutil netboot add to add two IP addresses to the NetBoot whitelist.
Once I had my script written, I built a package-only NetBoot set using System Image Utility and added the script to it.
Once completed, I booted a VM running OS X El Capitan from the NetBoot set to verify that the process works.
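For those who want to build something similar, here's an added example of the kind of script that could be dropped into a package-only NetBoot set. It is not the script from this post: it wraps csrutil netboot add so that each address is validated as an IPv4 dotted quad and skipped if csrutil netboot list already shows it, which keeps the script safe to re-run. The two addresses, the /usr/bin/csrutil path and the assumption that csrutil netboot list prints one address per line are all placeholders/assumptions of mine.

```shell
#!/bin/sh
# Added example, not the script from the post: add NetBoot server addresses
# to the SIP NetBoot whitelist with `csrutil netboot add`, skipping any
# address already listed. Meant to run as root from the script phase of a
# package-only NetBoot set. The addresses are constructed placeholders.
set -eu

WHITELIST="${WHITELIST:-10.0.0.10 10.0.0.11}"   # constructed placeholder IPs
CSRUTIL="${CSRUTIL:-/usr/bin/csrutil}"           # assumed path to csrutil
DRY_RUN="${DRY_RUN:-1}"                          # 1 = report only, 0 = apply

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# whitelist_has LISTING ADDR: succeed if ADDR appears as a whole word in
# LISTING (the text printed by `csrutil netboot list`, assumed to carry one
# address per line). Word-anchored, so 10.0.0.1 does not match 10.0.0.10.
whitelist_has() {
    printf '%s\n' "$1" | grep -qwF -- "$2"
}

# current_whitelist: print the live NetBoot whitelist; empty when csrutil
# is unavailable (e.g. when this file is exercised off a Mac).
current_whitelist() {
    "$CSRUTIL" netboot list 2>/dev/null || true
}

# add_missing ADDR...: validate each address and add those not yet listed.
# Returns 1 if any address was rejected, so the NetBoot set's log shows it.
add_missing() {
    listing=$(current_whitelist)
    rc=0
    for addr in "$@"; do
        if ! valid_ipv4 "$addr"; then
            echo "rejected: '$addr' is not a valid IPv4 address" >&2
            rc=1
        elif whitelist_has "$listing" "$addr"; then
            echo "present: $addr"
        elif [ "$DRY_RUN" = 1 ]; then
            echo "would add: $addr"
        else
            "$CSRUTIL" netboot add "$addr"
            echo "added: $addr"
        fi
    done
    return $rc
}

# Entry point: `sudo DRY_RUN=0 sh add_netboot_whitelist.sh` changes the
# whitelist; by default the script only reports what would change.
add_missing $WHITELIST
```

The script defaults to a dry run, so you can test it on a regular El Capitan Mac and see what it would add before setting DRY_RUN=0 in the NetBoot set's script. Follow it with csrutil netboot list in the same script if you want the resulting whitelist recorded in the NetBoot set's log.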
To demonstrate how the process looks, I’ve made a video showing the following process:
- Running csrutil status and csrutil netboot list to show that the Mac has SIP enabled, but no entries in the NetBoot whitelist.
- NetBooting the VM from the packages-only NetBoot set
- The NetBoot set running the script and rebooting
- Running csrutil status to show that the Mac has SIP enabled and now also has the two IP addresses added to the NetBoot whitelist.
Note: The video has been edited to artificially reduce the amount of time it took to NetBoot and restart.